User Authentication and Authorization
This chapter discusses User Authentication and Authorization, and how to configure this feature on the Cisco Mobile Wireless Home Agent.
This chapter includes the following sections:
• User Authentication and Authorization
• Skip HA-CHAP with MN-FA Challenge Extension (MFCE)
• Authentication and Authorization RADIUS Attributes
User Authentication and Authorization
The Home Agent can be configured to authenticate a user using either PAP or CHAP. The Foreign Agent Challenge procedures (RFC 3012) are supported and include the following extensions:
• Mobile IP Agent Advertisement Challenge Extension
• MN-FA Challenge Extension
• MN-AAA Authentication Extension
Note: PAP is used if no MN-AAA extension is present, and CHAP is always used if MN-AAA is present. The password for PAP users can be set using the ip mobile home-agent aaa user-password command.
When the Home Agent is configured to authenticate the user with the Home AAA server and it receives the MN-AAA Authentication Extension in the Registration Request, the contents of that extension are used. If the extension is absent, a configurable default password is used; this default password is a locally defined string, such as "vendor".
The HA accepts and maintains the MN-FA challenge extension and MN-AAA authentication extension (if present) from the original registration for use in later registration updates.
If the Home Agent does not receive a response from the AAA server within a configurable timeout, the message can be retransmitted a configurable number of times. You can configure the Home Agent to communicate with a group of AAA servers; the server is chosen in round-robin fashion from the available configured servers.
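The server-group behaviour described above (a configurable timeout, a configurable number of retransmissions, and round-robin choice of the next server) can be modelled with a few lines of Python. This is an added illustration, not Cisco IOS code; the class AaaServerGroup, the injected send() transport and the server addresses are constructed for the example, and the timeout is passed to the transport rather than slept on.

```python
from typing import Callable, List, Optional, Tuple

# send(server, request, timeout) -> reply bytes, or None when the server did not answer in time.
# A real transport would be a RADIUS UDP socket; here it is injected so the logic can be exercised offline.
Transport = Callable[[str, bytes, float], Optional[bytes]]


class AaaServerGroup:
    """Round-robin server selection with per-server retransmission (added model, not IOS code)."""

    def __init__(self, servers: List[str], timeout: float = 5.0, retransmit: int = 3,
                 send: Transport = None):
        self.servers = list(servers)   # configured AAA servers, in configuration order
        self.timeout = timeout         # seconds to wait for a reply before retransmitting
        self.retransmit = retransmit   # retransmissions per server after the first send
        self.send = send               # injected transport (see Transport above)
        self._next = 0                 # round-robin cursor; survives across requests

    def next_server(self) -> str:
        """Pick the next configured server in round-robin order."""
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server

    def request(self, payload: bytes) -> Tuple[str, bytes, int]:
        """Send to the next server, retransmit on timeout, then fall through to the following server.

        Returns (server that answered, reply, total number of sends). Raises TimeoutError when every
        server in the group stayed silent for the whole retransmit budget.
        """
        sends = 0
        for _ in self.servers:                     # at most one pass through the whole group
            server = self.next_server()
            for _ in range(1 + self.retransmit):   # first send plus the configured retransmissions
                sends += 1
                reply = self.send(server, payload, self.timeout)
                if reply is not None:
                    return server, reply, sends
        raise TimeoutError("no reply from any of %d AAA servers after %d sends"
                           % (len(self.servers), sends))


def make_transport(answering: dict) -> Transport:
    """Constructed transport: servers listed in 'answering' reply with the given bytes, all others stay silent."""
    def send(server: str, payload: bytes, timeout: float) -> Optional[bytes]:
        return answering.get(server)
    return send


if __name__ == "__main__":
    # Constructed sample: 10.1.1.1 is down, 10.1.1.2 answers.
    group = AaaServerGroup(["10.1.1.1", "10.1.1.2"], timeout=2.0, retransmit=2,
                           send=make_transport({"10.1.1.2": b"Access-Accept"}))
    print(group.request(b"Access-Request"))
```

With retransmit set to 2, a silent first server costs three sends before the next server is tried; the returned send count makes that cost visible, which is useful when tuning the timeout and retransmit values so that a dead server does not stall registrations for longer than the mobile node's own retry interval.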
To configure authorization and authentication on the HA, perform the following tasks:

Step 1

Command:

Router(config)# ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}}}} {interface name | virtual-network network_address mask} [skip-chap | aaa [load-sa [permanent]] [authorized-pool pool name] [skip-aaa-reauthentication] [care-of-access acl] [lifetime seconds]

Purpose:

Configures the mobile host or mobile node group on the HA. If the aaa load-sa option is configured, the Home Agent caches the SA locally on first registration. In this case the Home Agent will not invoke the RADIUS authorization procedure for re-registration. If aaa load-sa skip-aaa-reauthentication is configured, the Home Agent caches the SA locally on first registration; however, the Home Agent will not invoke the HA-CHAP procedure for re-registration. The aaa load-sa permanent option is not supported on the Mobile Wireless Home Agent, and should not be configured.
The HA supports 3GPP2 and Cisco proprietary security extension attributes in the RADIUS Access-Accept packet. Sending the 3GPP2 MN-HA SPI in the Access-Request to the RADIUS server, and processing the MN-HA Shared Key received from the RADIUS server, are configurable on the HA.
Cisco IOS provides a mechanism to authorize subscribers based on their realm. This can be done using a feature called "Subscriber Authorization", the details of which can be found here: http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a0080455cf0.html#wp1056463.
Note: The Home Agent accepts user profiles; it does not authorize a mobile subscriber based on information returned in a group profile.
Skip HA-CHAP with MN-FA Challenge Extension (MFCE)
This feature allows the HA to download a Security Association (SA) and cache it locally on the disk, rather than performing an HA-CHAP procedure with the Home AAA server to download the SA for the user on each registration request. When a user first registers with the HA, the HA does HA-CHAP (MN-AAA authentication), downloads the SA, and caches it locally. On subsequent re-registration requests, the HA uses the locally cached SA to authenticate the user. The SA cache entry is removed when the binding for the user is deleted.
You can configure this feature on the HA using the ip mobile host command, noted above.
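The following Python model ties together the behaviour described in this section and in the Step 1 command description above: PAP with the configured default password when no MN-AAA extension is present, HA-CHAP when it is, download of the SA on the first registration, reuse of the cached SA for re-registration, and removal of the cache entry with the binding. It is an added illustration, not Cisco IOS code and not from this guide. The class and function names (HomeAgent, FakeAaaServer, Registration, mn_ha_authenticator) are hypothetical; the AAA server is a constructed stub, and the split into an "authorize" step (which aaa load-sa skips on re-registration) and an "authenticate" step (which skip-aaa-reauthentication additionally skips) follows the wording of the command description. The MN-HA authenticator is computed with HMAC-MD5 over a simplified byte string standing in for the protected registration fields.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Password the HA presents for PAP when no MN-AAA extension is present
# (set on IOS with 'ip mobile home-agent aaa user-password'; "vendor" is the page's example).
DEFAULT_PAP_PASSWORD = "vendor"


@dataclass
class SecurityAssociation:
    spi: int
    key: bytes


@dataclass
class Registration:
    nai: str
    covered: bytes                       # registration fields protected by the MN-HA authenticator (simplified)
    mn_ha_auth: bytes                    # MN-HA Authentication Extension value sent by the mobile node
    mn_aaa_ext: Optional[bytes] = None   # MN-AAA Authentication Extension, if the mobile node sent one
    lifetime: int = 180                  # 0 = deregistration, binding removed


def mn_ha_authenticator(sa: SecurityAssociation, covered: bytes) -> bytes:
    """HMAC-MD5 keyed with the MN-HA shared key (RFC 3344 default algorithm)."""
    return hmac.new(sa.key, covered, hashlib.md5).digest()


class FakeAaaServer:
    """Constructed stand-in for the Home AAA server; records which procedure was invoked."""

    def __init__(self, users: Dict[str, dict]):
        self.users = users
        self.calls: List[Tuple[str, str]] = []

    def authenticate(self, method: str, nai: str, credential) -> bool:
        """HA-CHAP ('chap', MN-AAA extension contents) or PAP ('pap', the default password)."""
        self.calls.append((method, nai))
        user = self.users.get(nai)
        return user is not None and user["credential"].get(method) == credential

    def authorize(self, nai: str) -> Optional[SecurityAssociation]:
        """RADIUS authorization: returns the user's MN-HA SA (spi#n or 3GPP2 attributes)."""
        self.calls.append(("authorize", nai))
        user = self.users.get(nai)
        return None if user is None else SecurityAssociation(user["spi"], user["key"])


class HomeAgent:
    def __init__(self, aaa: FakeAaaServer, load_sa: bool = True,
                 skip_aaa_reauthentication: bool = False):
        self.aaa = aaa
        self.load_sa = load_sa                              # 'aaa load-sa'
        self.skip_aaa_reauth = skip_aaa_reauthentication    # 'aaa load-sa skip-aaa-reauthentication'
        self.bindings: Set[str] = set()
        self.sa_cache: Dict[str, SecurityAssociation] = {}  # entry lives only as long as the binding

    def handle(self, reg: Registration) -> str:
        if reg.lifetime == 0:
            self.bindings.discard(reg.nai)
            self.sa_cache.pop(reg.nai, None)   # SA cache entry removed together with the binding
            return "deregistered"

        rereg = reg.nai in self.bindings and reg.nai in self.sa_cache
        if not (rereg and self.skip_aaa_reauth):
            # First registration always authenticates with AAA. With plain 'aaa load-sa' a
            # re-registration still runs HA-CHAP/PAP; only the authorization step is skipped.
            if reg.mn_aaa_ext is not None:
                ok = self.aaa.authenticate("chap", reg.nai, reg.mn_aaa_ext)
            else:
                ok = self.aaa.authenticate("pap", reg.nai, DEFAULT_PAP_PASSWORD)
            if not ok:
                return "rejected: AAA authentication failed"

        if rereg:
            sa = self.sa_cache[reg.nai]                 # cached SA; no RADIUS authorization
        else:
            sa = self.aaa.authorize(reg.nai)
            if sa is None:
                return "rejected: no security association for user"
            if self.load_sa:
                self.sa_cache[reg.nai] = sa

        expected = mn_ha_authenticator(sa, reg.covered)
        if not hmac.compare_digest(expected, reg.mn_ha_auth):
            return "rejected: MN-HA authentication failed"
        self.bindings.add(reg.nai)
        return "accepted"
```

Walking a mobile node through first registration, re-registration and deregistration with this model shows which AAA round trips each ip mobile host option removes, and that a re-registration carrying a wrong MN-HA authenticator is still rejected even when no AAA procedure runs, because the cached SA is what authenticates it.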
Configuration Examples
The following example configures a mobile node group to reside on virtual network 10.99.1.0 and retrieve and cache mobile node security associations from a AAA server. The cached security association is then used for subsequent registrations.
ip mobile host 10.99.1.1 10.99.1.100 virtual-network 10.99.1.0 aaa load-sa
The following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached permanently until cleared manually.
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 10.2.0.0 255.255.0.0 aaa load-sa permanent lifetime 180
Authentication and Authorization RADIUS Attributes
The Home Agent and the RADIUS server support the RADIUS attributes listed in Table 1 for authentication and authorization services.
Table 1 Authentication and Authorization AVPs Supported by Cisco IOS

| Name | Type | Vendor | Length | Data Type | Description | Allowed in Access Request | Allowed in Access Accept |
|---|---|---|---|---|---|---|---|
| User-Name | 1 | NA | 64 | string | User name for authentication and authorization. | Yes | No |
| User-Password | 2 | NA | >=18 && <=130 | string | Password for authentication when using PAP. Password configured using CLI at Home Agent. | Yes | No |
| CHAP-Password | 3 | NA | 19 | string | CHAP password. | Yes | No |
| NAS-IP-Address | 4 | NA | 4 | IP address | IP address of the HA interface used for communicating with the RADIUS server. | Yes | No |
| Service-Type | 6 | NA | 4 | integer | Type of service the user is getting. Supported values: Outbound (sent for PAP); Framed (sent for CHAP); Framed (received in both cases). | Yes | Yes |
| Framed-Protocol | 7 | NA | 4 | integer | Framing protocol the user is using. Sent for CHAP, received for PAP and CHAP. Supported value: PPP. | Yes | Yes |
| Framed-Compression | 13 | NA | 4 | integer | Compression method. Supported value: 0 - None. | No | Yes |
| Framed-Routing | 10 | NA | 4 | integer | Routing method. Supported value: 0 - None. | No | Yes |
| Vendor-Specific | 26 | NA | | | Vendor specific attributes. | Yes | Yes |
| CHAP-Challenge (optional) | 60 | NA | >=7 | string | CHAP challenge. | Yes | No |
| NAS-Port-Type | 61 | NA | 4 | integer | Port type. Supported value: 0 - Async. | Yes | No |
| spi#n | 26/1 | Cisco | >=3 | string | n is a numeric identifier beginning with 0 which allows multiple SAs per user. Provides the Security Parameter Index (SPI) for authenticating a mobile user during MIP registration. The information is in the same syntax as the ip mobile secure host addr configuration command; essentially, it contains the rest of the configuration command that follows that string, verbatim. | No | Yes |
| static-ip-addresses | 26/1 | Cisco | >=3 | string | IP address list for static addresses for the same NAI but multiple flows. | No | Yes |
| static-ip-pool | 26/1 | Cisco | >=3 | string | IP address pool name for static addresses for the same NAI with multiple flows. | No | Yes |
| ip-addresses | 26/1 | Cisco | >=3 | string | IP address list used for dynamic address assignment. | No | Yes |
| ip-pool | 26/1 | Cisco | >=3 | string | IP address pool name used for dynamic address assignment. | No | Yes |
| dhcp-server | 26/1 | Cisco | >=3 | string | Get an address from the specified DHCP server. | No | Yes |
| MN-HA SPI Key | 26/57 | 3GPP2 | 6 | integer | SPI for MN-HA Shared Key. | Yes | No |
| MN-HA Shared Key | 26/58 | 3GPP2 | 20 | string | Secure Key to authenticate MHAE. | No | Yes |
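The following Python code packs and parses the Vendor-Specific attributes from Table 1 (the Cisco spi#n AVPair at 26/1 and the 3GPP2 MN-HA SPI and MN-HA Shared Key at 26/57 and 26/58) and checks a received Access-Accept against the table's "Allowed in Access Accept" column. It is an added example, not code from this guide or from Cisco IOS. The vendor IDs 9 (Cisco) and 5535 (3GPP2) are the IANA enterprise numbers, which the page does not state; the text after "spi#n=" is assumed to follow the ip mobile secure host syntax "spi <hex-spi> key {ascii | hex} <key>", and the sample attribute values are constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

VENDOR_SPECIFIC = 26                                    # RADIUS attribute type 26 (the "26/..." rows of Table 1)
VENDOR_CISCO, VENDOR_3GPP2 = 9, 5535                    # IANA enterprise numbers (assumed, not from the page)
CISCO_AVPAIR, MN_HA_SPI, MN_HA_SHARED_KEY = 1, 57, 58   # vendor sub-types from Table 1

# Table 1, "Allowed in Access Accept" column. Key: (type, vendor id, vendor sub-type); None = plain attribute.
ALLOWED_IN_ACCEPT = {
    (1, None, None): False,  (2, None, None): False,  (3, None, None): False,
    (4, None, None): False,  (6, None, None): True,   (7, None, None): True,
    (13, None, None): True,  (10, None, None): True,  (60, None, None): False,
    (61, None, None): False,
    (26, VENDOR_CISCO, CISCO_AVPAIR): True,
    (26, VENDOR_3GPP2, MN_HA_SPI): False,
    (26, VENDOR_3GPP2, MN_HA_SHARED_KEY): True,
}

Attr = Tuple[int, Optional[int], Optional[int], bytes]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Plain RADIUS attribute: type, length (counting this 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: type 26, length, 4-byte vendor id, then sub-type, sub-length, value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attrs(data: bytes) -> List[Attr]:
    """Walk an attribute list, expanding each VSA into (26, vendor id, sub-type, value) entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + length]
        if t != VENDOR_SPECIFIC:
            attrs.append((t, None, None, body))
        else:
            if len(body) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if j + 2 > len(body) or body[j + 1] < 2 or j + body[j + 1] > len(body):
                    raise ValueError("bad vendor sub-attribute length")
                vt, vl = body[j], body[j + 1]
                attrs.append((t, vendor, vt, body[j + 2:j + vl]))
                j += vl
        i += length
    return attrs


def parse_spi_avpair(value: bytes) -> Optional[Tuple[int, int, bytes]]:
    """'spi#n=spi <hex-spi> key {ascii|hex} <key>' -> (n, spi, key); None if not an spi#n pair.

    The part after '=' is assumed to be 'ip mobile secure host' syntax, as Table 1 describes.
    """
    name, sep, rest = value.decode("ascii", "replace").partition("=")
    if sep != "=" or not name.startswith("spi#") or not name[4:].isdigit():
        return None
    tok = rest.split()
    if len(tok) != 5 or tok[0] != "spi" or tok[2] != "key" or tok[3] not in ("ascii", "hex"):
        raise ValueError("unrecognised spi#n syntax: %r" % rest)
    key = tok[4].encode() if tok[3] == "ascii" else bytes.fromhex(tok[4])
    return int(name[4:]), int(tok[1], 16), key


def security_associations(accept_attrs: List[Attr], request_spi: Optional[int] = None) -> List[Dict]:
    """Collect MN-HA SAs from an Access-Accept.

    Cisco spi#n pairs carry SPI and key together; for 3GPP2 the HA sent the MN-HA SPI (26/57) in its
    Access-Request and only the shared key (26/58) comes back, so the caller passes that SPI in.
    """
    sas = []
    for t, vendor, vt, value in accept_attrs:
        if (t, vendor, vt) == (26, VENDOR_CISCO, CISCO_AVPAIR):
            parsed = parse_spi_avpair(value)
            if parsed is not None:
                n, spi, key = parsed
                sas.append({"source": "cisco-avpair", "index": n, "spi": spi, "key": key})
        elif (t, vendor, vt) == (26, VENDOR_3GPP2, MN_HA_SHARED_KEY) and request_spi is not None:
            sas.append({"source": "3gpp2", "spi": request_spi, "key": value})
    return sas


def not_allowed_in_accept(attrs: List[Attr]) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Attributes present in an Access-Accept that Table 1 marks as not allowed there."""
    return [(t, v, vt) for t, v, vt, _ in attrs if ALLOWED_IN_ACCEPT.get((t, v, vt)) is False]
```

Encoding the 3GPP2 MN-HA SPI as a 4-byte integer gives a vendor sub-attribute of 6 bytes (2-byte sub-header plus the value), which is the length Table 1 lists for it. The not_allowed_in_accept() check is the kind of sanity test worth running on a server profile before deployment: an Access-Accept that carries, for example, a User-Password or an MN-HA SPI attribute does not match the table and points at a misconfigured RADIUS profile.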